On 09/25/2011 03:52 AM, Al Varnell wrote:
> When I go to <http://clamav-du.securesites.net/cgi-bin/clamgrok> and enter
> "OSX" I get a list of 34 hits for Mac OS signatures, but at least one is
> missing.
>
> When I open my daily.cld I can find the following:
>
> MacOSX.Revir-1;Engine:51-255,Target:9;(0&1&2);<string>;<string>
>
> which was added late yesterday but is not in the above list.
>
> Any idea why it wouldn't show up?

That is a logical signature (.ldb). Just a guess but maybe the site is using an old version of ClamAV's sigtool that doesn't support that (0.95.3?), or they unpack the CVD but don't search in .ldb files.
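An added illustration (not part of the original thread, and not the clamgrok site's code): a name search over unpacked database files misses MacOSX.Revir-1 when .ldb files are skipped, which is the second possibility the reply raises. Field positions follow ClamAV's documented signature formats; the .ndb and .hdb entries and all function names are constructed for the example.

```python
# Constructed database contents. Only the .ldb line comes from the thread;
# the .ndb and .hdb entries are made-up placeholders, not real signatures.
SAMPLE_DB = {
    "daily.ndb": ["Constructed.OSX.Sample-1:9:*:deadbeef"],
    "daily.hdb": ["00000000000000000000000000000000:1024:Constructed.OSX.Sample-2"],
    "daily.ldb": ["MacOSX.Revir-1;Engine:51-255,Target:9;(0&1&2);<string>;<string>"],
}

# Where the signature name sits in each file type: (delimiter, field index).
# .ndb  Name:Target:Offset:Hex      .hdb/.mdb  Hash-or-size:...:Name
# .ldb  Name;TargetBlock;Expression;Subsig0;Subsig1;...
NAME_FIELD = {".ndb": (":", 0), ".hdb": (":", 2), ".mdb": (":", 2), ".ldb": (";", 0)}


def parse_ldb(line):
    """Split a logical signature into name, target block, expression, subsigs.

    Assumes no literal ';' inside a subsignature (true for plain hex subsigs).
    """
    name, tdb, expr, *subsigs = line.split(";")
    target = dict(kv.split(":", 1) for kv in tdb.split(","))
    return {"name": name, "target": target, "expression": expr, "subsigs": subsigs}


def search_names(db, term, extensions):
    """Case-insensitive substring search over signature names only."""
    hits = []
    for fname, lines in db.items():
        ext = fname[fname.rfind("."):]
        if ext not in extensions:
            continue  # a tool that never opens this file type cannot list it
        delim, idx = NAME_FIELD[ext]
        for line in lines:
            name = line.split(delim)[idx]
            if term.lower() in name.lower():
                hits.append((fname, name))
    return hits


if __name__ == "__main__":
    print("without .ldb:", search_names(SAMPLE_DB, "OSX", {".ndb", ".hdb"}))
    print("with .ldb:   ", search_names(SAMPLE_DB, "OSX", {".ndb", ".hdb", ".ldb"}))
    print(parse_ldb(SAMPLE_DB["daily.ldb"][0]))
```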

> On 09/25/2011 03:52 AM, Al Varnell wrote:
>> When I go to <http://clamav-du.securesites.net/cgi-bin/clamgrok> and enter
>> "OSX" I get a list of 34 hits for Mac OS signatures, but at least one is
>> missing.
>>
>> When I open my daily.cld I can find the following:
>>
>> MacOSX.Revir-1;Engine:51-255,Target:9;(0&1&2);<string>;<string>
>>
>> which was added late yesterday but is not in the above list.
>>
>> Any idea why it wouldn't show up?
>
> That is a logical signature (.ldb).
> Just a guess but maybe the site is using an old version
> of ClamAV's sigtool that doesn't support that (0.95.3?),
> or they unpack the CVD but don't search in .ldb files.

Thanks Edwin. Do you or anybody else have an email address for the tool POC so I can discuss it with them? I know that ViaVerio sponsors the host that it's on in Virginia, USA, but can't come up with a name.

> > of ClamAV's sigtool that doesn't support that (0.95.3?),
> > or they unpack the CVD but don't search in .ldb files.
>
> Thanks Edwin. Do you or anybody else have an email address for the tool POC so I can discuss it with them? I know that ViaVerio sponsors the host that it's on in Virginia, USA, but can't come up with a name.